SSO/OpenID: Use a mobile-redirect route (Fixes #2379 and #2381) #2386
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR modifies the oauth flow to always provide a https callback (which on mobile the ABS server will redirect to the app link). Also it will enable 3rd party app support as different app-callback urls are possible.
/auth/openid/mobile-redirect
this will redirect to an app-link like audiobookshelf://oauthredirect_uri
parameter with the app-link in the authorization request to /auth/openidThe user needs to allow redirect-uris for mobile applications in the ABS settings, because they are now hidden from the SSO provider.
I set as default
audiobookshelf://oauth
, the user can also add multiple others, or just provide an asterisk allowing all URLs (or even delete the default). This way we can easily support 3rd-party apps.In the SSO Provider, as valid redirect_uris the user now has to set:
or if his auth providers supports wildcards, simply:
I also thought about adding a another route after the auth-request where the user is not directly forwarded to the auth provider, but to an ABS page, where ABS explains that an App wants to login. Similar to the idea suggested in #2381
However Im not sure if it would make sense, because usually the user knows in which App he is... and it does not increase security because the App name provided can simply be faked.
But if we want to do it for some reason anyways, it is possible on top of this PR.
Still a (third party) app can - and maybe should - provide a
client_id
in the first request with the Apps name which we could use later (possibly for logging, statistics, user sessions list etc.). I also provided it in the mobile PR.Also the mobile app (or 3rd party app developers) now need to provide their redirect url as app-link in the auth request to
/auth/openid/auth
While everything is standard oauth2, I will probably provide some guidelines in the API docs of how a 3rd party app dev can use the oauth endpoints.
Required Mobile app change: advplyr/audiobookshelf-app#969